Version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) goes into effect on January 1, 2014. That is only 45 days from today. The PCI SSC published the 3.0 standards in its document library on Thursday. The changes are supposed to allow for more flexibility, with an increased focus on education, awareness, and security as a shared responsibility. Note that version 2.0 remains valid for assessments until December 31, 2014, so the effective date opens a transition year rather than forcing an immediate cut-over.
Companies that accept credit cards will be required to evaluate malware threats for all systems, even those not considered to be commonly affected; tie other authentication mechanisms (such as physical or logical tokens, smart cards, and certificates) to individual accounts and ensure only the intended users can gain access; control physical access to sensitive areas for onsite personnel, with a process to authorize access and to revoke it immediately upon termination; and protect devices that capture payment card data through direct physical interaction with the card from tampering and substitution.
Other important changes include:
- Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS compliance;
- Incorporating the tips and guidance from the separate Navigating PCI DSS document directly into the standard itself, as a guidance column alongside each requirement;
- More flexibility and education around password strength and complexity;
- New requirements for point-of-sale terminal security;
- More robust requirements for penetration testing and validating segmentation;
- Enhanced testing procedures to clarify the level of validation expected for each requirement; and
- Expanded software development lifecycle security requirements, including threat modeling, for PA-DSS application vendors.
The general manager of the PCI Security Standards Council, Bob Russo, said “Lack of education and awareness; weak passwords, authentication; third-party security challenges; and slow self-detection in response to malware and other threats are some of the key challenge areas that precipitate many of the card security breaches happening today. With these drivers in mind, the changes introduced with version 3.0 are designed to help organizations take a proactive approach to protect card data that focuses on security, not compliance.”
Again, the new PCI Data Security Standard 3.0 is available in the PCI SSC document library.